On July 5, 2010, the Mexican Federal Law on Protection of Personal Data Held by Private Parties was officially published. This legislation establishes minimum standards that those who use others’ personal data are obliged to comply with to protect privacy. To detail the law, its Secondary Regulation was issued in December 2011. With this, the legal framework for data protection in Mexico was officially enacted. This achievement signifies a paradigm change in Mexican society: personal information is now owned by the data subject and no longer by the person who holds or uses it.
Lina Ornelas is the general director for privacy self-regulation at Mexico’s Federal Institute for Access to Information and Data Protection (IFAI). Ornelas works to understand the way private parties who process personal data think and act to find their incentives to protect personal data, she says. She also works to give such parties tools to enable compliance with the law and promote responsible data processing.
Ornelas is in charge of developing tools to facilitate regulated entities’ compliance with the law, helping them to create privacy notices, for example, through a privacy notice generator available mainly to small and medium enterprises. Her office has published recommendations such as data controller designation and is working to develop model contracts for regulated entities to follow. She says that self-regulatory mechanisms will allow data controllers to voluntarily establish and follow measures additional to those already provided by the law.
“We have the mission to change the perspective in which these parties see and handle personal information,” Ornelas says. Working with the Ministry of Economy in Mexico, Ornelas’ team will now work to create a self-regulatory framework which will include a privacy certification system.
The Privacy Advisor caught up with Ornelas to learn a bit more about her work as director for privacy self-regulation and the ways that Mexico’s new law may or may not be changing Mexico’s landscape when it comes to data protection.
The Privacy Advisor:
What was your path to privacy?
Ornelas:
In 2002, I was working as the General Director of Legislative Studies at the State Department, where I had the opportunity to participate in the group that drafted the initiative for the Access to Information Act. In this law, we included a data protection chapter that established principles for the executive branch and also for other branches. A year after, I came to work in the IFAI as Directorate of Classified Information and Personal Data. This was very important considering one of the reasons to classify information is personal data because it is considered confidential, and you need the consent of the data subject to disclose said information to third parties. In 2004, I collaborated in the issuance of some guidelines for privacy, which were published in 2005. That was when we at IFAI noticed that we didn’t have data protection as a fundamental right, and we started working along with a group that promoted a constitutional reform. On the other hand, it took us nine years to have a law, but fortunately, being late does not necessarily mean less, principally because we had the opportunity to see how the European law was formed, and at the same time I was working in APEC in different groups that gave me the chance to attend several interesting discussions which were very useful as I took little pieces of different models in order to help in the creation of the Data Protection Law. Our law is considered nowadays a hybrid of the European, U.S. and Canadian models. At the end, it was decided that the IFAI would be the authority, not only for the public sector, but also for the private sector. In 2006, I became a member of the IAPP and I had the opportunity to represent the IFAI in different kinds of meetings, which also gave me valuable insights in this arena.
The Privacy Advisor:
You hold a rather unique position within the commission in that you are specifically designated to promote self-regulation. What does your role entail?
Ornelas:
It is indeed a unique position that needs to be very creative and careful as well. Our law has an article promoting self-regulation mechanisms, and it says clearly they have to go above the law to be considered as such. Normally, self-regulation sounds very weak, but our law has a different perspective as it changes completely the way a lot of different sectors see this type of regulation. In Mexico, accountability is a very new thing. For us, companies can decide voluntarily to adopt a self-regulation mechanism, but once they are in, they must comply with several duties and if not, a consequence must take place. To detail these aspects, our law provides that IFAI, jointly with the Ministry of Economy, will elaborate specific guidelines. I also think self-regulation is a cornerstone of the whole international system. We have a good law in Mexico, and it is well-recognized as the first law that complies with the Madrid Standards of 2009, but there is little to do in cases where the database is not in our territory. Self-regulation could also be a response even if the personal data is not in Mexico. Likewise, other benefits of self-regulation are that it implies a competitive advantage before consumers and that effective self-regulation mechanisms could be taken into account by the IFAI in order to lower fines in case a law breach occurs.
The Privacy Advisor:
Many regulators are skeptical about the success of self-regulation so far. Is it a viable model?
Ornelas:
We are aware that, for some people, self-regulation has a negative connotation that concentrates primarily on avoiding state regulations. But there are other ways to look at self-regulation. For us, as I said before, these mechanisms can be used wisely by enterprises or organizations seeking to attract more consumers by adopting best privacy practices. A framework regarding third-party privacy certifiers will establish the characteristics and functions the actors must satisfy as well as the conditions in order to grant or revoke privacy certifications. We have to be very careful in this. It has to be well-supervised. There are always people that are going to make profit from this, but what we want is something deeper. What I want to see is that IFAI can have different arms in different organizations working as if they were one authority. Companies are very interested in self-regulation. In fact, every week we receive notice from a different group interested in preparing their code of conduct. Our main challenge is with small and medium enterprises because they do not even know the law exists. We have to create the culture first, and then let them know that they will receive requests from data subjects which they have to be ready to respond to and also have security measures to comply with the law as a whole.
The Privacy Advisor:
Has the landscape shifted since Mexico’s data protection law passed?
Ornelas:
People are more or less aware that there is something going wrong because they receive a lot of phone calls or they do not feel very secure; they gave their data to a company, and it is now in the hands of another company. They know that, but they do not realize they have a fundamental right and do not even realize there is a law. But I think it has changed a lot. The European Union is looking at giving us adequacy. And, for instance, the media has started publishing cases of situations where they considered something is not proportionate, like a bus company that takes pictures of passengers when they take the bus and does not ask for their consent. We are receiving a lot of questions from people and a lot of sectors are aware. It is a good starting point. But the weakest part of the chain is the data subject, because I do not think they are aware. They know “my private life is important,” but they do not know they have a mechanism to complain. What the IFAI is trying to create, in the mind of data subjects as in the data controller’s mind, is, in one word: awareness. If the IFAI focus goes to teaching people the value of their data, our work is halfway done.
The Privacy Advisor:
If you had to sum up what “privacy” means to the average Mexican citizen, what would you say?
Ornelas:
In general, we can hardly say that there is an “average Mexican citizen;” the problem is that there is not an average Mexican as there is not an average Chilean or Canadian either. We can say that the privacy issues are a concern, mostly, in the metropolitan areas, which are the most developed areas of the country. This represents to us one of the biggest challenges that the IFAI has to overcome. We have to permeate the privacy concerns to all the layers of society and reach all of the corners of the country to build a consensual vision in personal data protection matters.
The Privacy Advisor:
What do you want to see in the next year or so in terms of progress?
Ornelas:
What I want to do is to raise awareness in people so they can push industry towards complying. I would like to see someone say, “I don’t see a privacy notice at this company, so I will change to another one.” I would like to see people making decisions by themselves from the data protection perspective. And especially with children; I have been working on data protection in social networking for industry and for parents in how we can give tools to children in a broader sense to take care of what information they give, because they are not aware sometimes that this information can be used for different purposes or even misused. When your car is stolen or your bag or something, you notice. But when your data is stolen you do not even perceive it. So the biggest challenge in this area is to raise awareness, and we are focused in that direction.